US7376842B1 - Malware scanning messages containing multiple data records - Google Patents

Info

Publication number
US7376842B1
Application number
US10/096,430
Authority
US (United States)
Prior art keywords
data, message, malware, record, payload
Legal status
Expired - Fee Related
Inventor
Neil John Hursey
Current Assignee
McAfee LLC
Original Assignee
McAfee LLC
Application filed by McAfee LLC
Priority to US10/096,430
Assigned to Networks Associates Technology, Inc. (assignment of assignors' interest; assignor: Hursey, Neil John)
Assigned to McAfee, Inc. (merger; assignor: Networks Associates Technology, Inc.)
Application granted
Publication of US7376842B1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 21/563 Static detection by source code analysis

Definitions

  • This invention relates to the field of data processing systems. More particularly, this invention relates to malware scanning received messages.
  • malware scanners that scan received messages for malware such as computer viruses, worms, Trojans, banned files, banned words, banned images and the like.
  • An example of such a malware scanner is one in which a MIME message received by an e-mail system is scanned to see if it contains malware of any of the above mentioned types.
  • the MIME message protocol is widely used to transfer e-mail messages. It is common for e-mail messages to contain one or more attached files. These attached files often constitute the malware against which it is designed to protect the system.
  • the MIME message format divides the total message into different portions respectively containing an encoded version of the attachment and separated by predetermined tags.
  • Another disadvantage of MIME messaging is that the payload data is encoded.
  • a computer file being transferred within a MIME message is encoded into a new form which is included within the message and requires decoding by the receiver in order to recover the original computer file.
  • This is inefficient in terms of the increased computer processing required.
  • certain computer files may be in a form that is highly compressed and the encoding may make them disadvantageously larger.
  • digital signature and other security measures may be disrupted by the encoding and decoding imposed by the MIME message format.
  • In order to address the above problems of the MIME message format that arose through encoding and decoding of computer files, a new message format has been proposed. This is the DIME format.
  • computer files are embedded within the message in their native binary form without encoding.
  • the use of tags to separate different portions of the message can no longer be reliably used since a computer file may as a matter of chance contain a particular sequence of bytes that corresponds to a tag and would be inappropriately interpreted as a division between different portions of a message.
  • the DIME format breaks the message down into a plurality of data records each having a header including data indicating the length of that data record such that the message can be read and broken down into its respective data records at the receiver.
  • the present invention provides a computer program product for detecting malware, said computer program product comprising:
  • receiving code operable to receive a message containing a plurality of data records, each data record having associated record characterising data and payload data, said record characterising data including type data identifying data type of payload data of said data record and length data identifying length of said data record;
  • determining code operable to determine from type data of a data record whether or not payload data of said data record should be scanned for malware
  • scanning code operable if said type data indicates that said payload data should be scanned for malware to scan said payload data for malware
  • the invention recognises that the structure and format of messages, such as, for example, DIME messages, may be used to increase the efficiency of malware scanning. More particularly, since a message containing multiple data records includes within each data record an indication of the data type of that data record and the length of that data record, then a determination may be made from the data type as to whether or not that particular data record should be scanned, and optionally the manner in which it should be scanned, and then the start of the next data record identified from the length data without necessarily having to process/traverse all of the preceding data records. This enables significantly more efficient malware scanning to be performed upon a received message.
  • the payload data could take a wide variety of different forms and may possibly be encoded, in preferred embodiments of the invention the payload data is unencoded.
  • the use of unencoded payload data is one of the motivations behind the adoption of this message format and has the additional advantage that malware scanning can be applied to the payload data directly without an intervening decoding or other pre-processing of the payload data being required.
  • Malware may include computer viruses, worms, Trojans, banned files, banned words, banned images and the like.
  • malware scanning detects malware within payload data, then preferred embodiments act to trigger a malware found action.
  • Preferred forms of malware found action include deleting at least the payload data, quarantining at least the payload data, disinfecting at least the payload data, repairing at least the payload data and issuing an alert message, such as to a user or administrator.
  • the messages which it is desired to scan for malware will typically be exchanged between different computers, although this need not necessarily be the case.
  • the invention is particularly well suited to embodiments in which the message is one of an e-mail message, a remote procedure call or a remote procedure response.
  • the present invention provides a method of scanning for malware within messages and an apparatus for scanning for malware within messages.
  • FIG. 1 schematically illustrates a computer network connected via the internet to a source of e-mail messages and a web server;
  • FIG. 2 schematically illustrates a remote procedure call and response using a message format
  • FIG. 3 is a flow diagram schematically illustrating message scanning
  • FIG. 4 is a diagram schematically illustrating the malware scanning of a message containing multiple data records.
  • FIG. 5 is a diagram schematically illustrating the architecture of a general purpose computer of the type which may be used to implement the above described techniques.
  • FIG. 1 schematically illustrates a local network 2 comprising a plurality of client computers 4, 6, 8 each connected to a DIME scanning computer 10 which serves to perform malware scanning upon any DIME messages received into the network 2.
  • the DIME scanner 10 is connected to the internet. Via this internet connection, the DIME scanner 10 may receive e-mail messages from a remote network 12 and handle remote procedure call requests and responses to and from a web server 14.
  • an e-mail message originates within the network 12 from a client of that network and is passed via a mail server of that network through the internet to the DIME scanner 10 before being routed on to the particular addressed client computer within the network 2.
  • the e-mail message uses the DIME message format and includes a text body and multiple attachments.
  • An overall description of the DIME message format may be found in the document entitled “DIME: Sending Binary Data Within Your SOAP Messages” by Matt Powell of Microsoft Corporation dated 22 Jan. 2002 and published on the MSDN internet site. Various other descriptions of the DIME message format are publicly available.
  • the e-mail message may contain computer file attachments of a variety of different types. Some of these file types, such as image files, e.g. JPEGs, will not require malware scanning as they may be considered not capable of carrying malware. Other attached computer files may include executable files which should be scanned for malware and Word documents which should be scanned for malware, such as embedded macro viruses.
  • An alternative use of the DIME message format is also illustrated in FIG. 1.
  • a client computer within the network 2 issues a remote procedure call to the web server 14.
  • This remote procedure call may include a computer file being passed from the client computer to the web server 14 and this computer file should be malware scanned as it is outbound through the DIME scanner 10.
  • the web server 14 will then perform the requested remote processing upon the computer file concerned and return remote procedure result data including a different computer file to the originating client computer.
  • as this DIME message including the remote procedure call response is returned inbound through the DIME server 10, it is again malware scanned.
  • FIG. 2 illustrates the remote procedure call and remote procedure response flow discussed above.
  • the client computer generates a DIME message carrying the remote procedure call request and passes this to the web server via the DIME scanner which scans the outbound DIME message.
  • the web server responds to this DIME message and performs the requested remote processing before generating its reply DIME message to be returned to the client computer.
  • This reply DIME message again passes through the DIME scanner where it is scanned for malware before being received at the initiating client computer.
  • FIG. 3 schematically illustrates a flow diagram showing the processing performed by the DIME scanner 10.
  • the DIME scanner 10 waits until a DIME message is received.
  • the DIME scanner 10 may wait until the whole DIME message has been received before it initiates malware scanning upon that message.
  • step 18 selects the first record within the message.
  • Step 20 then reads the record header information from the data record concerned.
  • Step 22 determines from the file type information contained within the record header whether or not the data payload associated with that data record should be malware scanned. As an example, if the data type indicates that the data payload is text data, or image data, then these may not need malware scanning as they may be deemed not to be capable of containing malware. The particular configuration and decision as to whether or not individual file types should be malware scanned will vary depending upon the situation.
  • malware scanner is trying to identify banned words, such as obscene or offensive words within e-mail messages
  • text data may be malware scanned to identify whether or not it contains any such banned words even if it cannot carry a virus.
  • Other data types such as executable files or computer files that may contain macros are known to represent a significant risk of malware infection and will be scanned as appropriate.
  • Those computer files (payload data) identified at step 22 as having a file type that should be scanned are passed to step 24 where the malware scanning for computer viruses, worms, Trojans, banned words, banned files, banned images etc. is performed in accordance with the user configuration and what is appropriate for the file type concerned.
  • a malware found action is triggered at step 28.
  • the malware found action may include deleting the payload data, quarantining the payload data, disinfecting the payload data, repairing the payload data, generating an alert message, such as to a user or administrator, or a combination of the above or other actions.
  • step 30 a determination is made as to whether or not the last data record within the message has yet been reached.
  • the DIME message format includes within each data record flags which indicate whether it is the first data record within that message, the last data record within that message, both or other attributes, such as being a data record that forms part (a chunk) of a computer file. These flags may be read at step 30 . If the data record is the last data record in the message, then the process terminates (or returns to step 16 to await the next DIME message). If the test at step 30 indicates that the last data record has not yet been reached, then processing proceeds to step 32 at which the next data record is selected for consideration and processing returned to step 20 .
  • FIG. 4 schematically illustrates a DIME message containing four data records. It will be seen that each data record contains a header including data identifying the type of computer file that forms the data payload associated with that data record and the length of that data record (this effectively forms a pointer to the start of the next data record or the end of the message).
  • the first data record 34 is marked with a message begins flag and carries a data payload that is text data.
  • text data is not to be malware scanned and so once the header has been read to identify that the payload data is text data, then the length data embedded in the header is used to make a jump within the DIME message to the start of the second data record 36.
  • the header information is read which indicates that the data payload for that data record is a Word document.
  • Word documents are selected to be scanned for macro viruses and accordingly scanning of the payload data is initiated.
  • the scanning of the Word document may only need to determine whether or not the Word document contains a macro and if necessary analyse this macro.
  • the malware scan of the data record 36 may be terminated and a jump made using the length data embedded in the header to the start of the third data record 38.
  • the type data of this third data record indicates that the payload data is a JPEG computer file. In this example JPEG computer files are not malware scanned and accordingly the length data is used to jump to the fourth data record 40.
  • the fourth data record 40 contains an executable file as its payload data and this is subject to malware scanning to determine whether it contains a computer virus or constitutes a worm or a Trojan.
  • the fourth data record 40 also carries a flag in its header indicating that it is the end of the message and accordingly further malware scanning of the message is not required.
  • FIG. 5 schematically illustrates a general purpose computer 200 of the type that may be used to implement the above described techniques.
  • the general purpose computer 200 includes a central processing unit 202, a random access memory 204, a read only memory 206, a network interface card 208, a hard disk drive 210, a display driver 212 and monitor 214 and a user input/output circuit 216 with a keyboard 218 and mouse 220 all connected via a common bus 222.
  • the central processing unit 202 will execute computer program instructions that may be stored in one or more of the random access memory 204, the read only memory 206 and the hard disk drive 210 or dynamically downloaded via the network interface card 208.
  • the results of the processing performed may be displayed to a user via the display driver 212 and the monitor 214.
  • User inputs for controlling the operation of the general purpose computer 200 may be received via the user input/output circuit 216 from the keyboard 218 or the mouse 220.
  • the computer program could be written in a variety of different computer languages.
  • the computer program may be stored and distributed on a recording medium or dynamically downloaded to the general purpose computer 200.
  • the general purpose computer 200 can perform the above described techniques and can be considered to form an apparatus for performing the above described technique.
  • the architecture of the general purpose computer 200 could vary considerably and FIG. 5 is only one example.

Abstract

A malware scanner for DIME messages reads the file type associated with each data record within the DIME message to determine whether or not the payload data of that data record requires scanning. The length data within the header of each data record is used to move between data records within a DIME message as required during the malware scanning process.

Description

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to malware scanning received messages.
2. Description of the Prior Art
It is known to provide malware scanners that scan received messages for malware such as computer viruses, worms, Trojans, banned files, banned words, banned images and the like. An example of such a malware scanner is one in which a MIME message received by an e-mail system is scanned to see if it contains malware of any of the above mentioned types. The MIME message protocol is widely used to transfer e-mail messages. It is common for e-mail messages to contain one or more attached files. These attached files often constitute the malware against which it is designed to protect the system. The MIME message format divides the total message into different portions respectively containing an encoded version of the attachment and separated by predetermined tags. When malware scanning such a MIME message the entire MIME message must be processed to identify the tags which separate different portions of the message and then those separate portions decoded and malware scanned as required. Whilst the MIME message format is highly adaptable and flexible, this format presents a difficulty to malware scanners in that a disadvantageously large processing requirement is imposed by the need to traverse the entire MIME message to identify all its portions and then decode those portions prior to scanning.
Another disadvantage of MIME messaging is that the payload data is encoded. Thus, a computer file being transferred within a MIME message is encoded into a new form which is included within the message and requires decoding by the receiver in order to recover the original computer file. This is inefficient in terms of the increased computer processing required. Furthermore, certain computer files may be in a form that is highly compressed and the encoding may make them disadvantageously larger. Furthermore, digital signature and other security measures may be disrupted by the encoding and decoding imposed by the MIME message format.
In order to address the above problems of the MIME message format that arose through encoding and decoding of computer files, a new message format has been proposed. This is the DIME format. In this message format computer files are embedded within the message in their native binary form without encoding. As the binary sequence within the embedded data is no longer controlled by the message format, the use of tags to separate different portions of the message can no longer be reliably used since a computer file may as a matter of chance contain a particular sequence of bytes that corresponds to a tag and would be inappropriately interpreted as a division between different portions of a message. Instead, the DIME format breaks the message down into a plurality of data records each having a header including data indicating the length of that data record such that the message can be read and broken down into its respective data records at the receiver.
SUMMARY OF THE INVENTION
Viewed from one aspect the present invention provides a computer program product for detecting malware, said computer program product comprising:
receiving code operable to receive a message containing a plurality of data records, each data record having associated record characterising data and payload data, said record characterising data including type data identifying data type of payload data of said data record and length data identifying length of said data record;
determining code operable to determine from type data of a data record whether or not payload data of said data record should be scanned for malware;
scanning code operable if said type data indicates that said payload data should be scanned for malware to scan said payload data for malware; and
calculating code operable if a last data record within said message has not yet been subject to said determination to calculate from said length data a start location of a next data record within said message to be subject to said determination.
The invention recognises that the structure and format of messages, such as, for example, DIME messages, may be used to increase the efficiency of malware scanning. More particularly, since a message containing multiple data records includes within each data record an indication of the data type of that data record and the length of that data record, then a determination may be made from the data type as to whether or not that particular data record should be scanned, and optionally the manner in which it should be scanned, and then the start of the next data record identified from the length data without necessarily having to process/traverse all of the preceding data records. This enables significantly more efficient malware scanning to be performed upon a received message.
Whilst it will be appreciated that the payload data could take a wide variety of different forms and may possibly be encoded, in preferred embodiments of the invention the payload data is unencoded. The use of unencoded payload data is one of the motivations behind the adoption of this message format and has the additional advantage that malware scanning can be applied to the payload data directly without an intervening decoding or other pre-processing of the payload data being required.
It will be appreciated that whilst some of the above has discussed the DIME data format, the present techniques are not limited to this specific format although they are particularly well suited to use with the DIME message format.
It will be appreciated that the malware scanning could take a wide variety of different forms. Malware may include computer viruses, worms, Trojans, banned files, banned words, banned images and the like.
If the malware scanning detects malware within payload data, then preferred embodiments act to trigger a malware found action.
Preferred forms of malware found action include deleting at least the payload data, quarantining at least the payload data, disinfecting at least the payload data, repairing at least the payload data and issuing an alert message, such as to a user or administrator.
The messages which it is desired to scan for malware will typically be exchanged between different computers, although this need not necessarily be the case. The invention is particularly well suited to embodiments in which the message is one of an e-mail message, a remote procedure call or a remote procedure response.
Viewed from other aspects the present invention provides a method of scanning for malware within messages and an apparatus for scanning for malware within messages.
The above, and other objects, features and advantages of this invention will be apparent from the following detailed description of illustrative embodiments which is to be read in connection with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 schematically illustrates a computer network connected via the internet to a source of e-mail messages and a web server;
FIG. 2 schematically illustrates a remote procedure call and response using a message format;
FIG. 3 is a flow diagram schematically illustrating message scanning;
FIG. 4 is a diagram schematically illustrating the malware scanning of a message containing multiple data records; and
FIG. 5 is a diagram schematically illustrating the architecture of a general purpose computer of the type which may be used to implement the above described techniques.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
FIG. 1 schematically illustrates a local network 2 comprising a plurality of client computers 4, 6, 8 each connected to a DIME scanning computer 10 which serves to perform malware scanning upon any DIME messages received into the network 2. The DIME scanner 10 is connected to the internet. Via this internet connection, the DIME scanner 10 may receive e-mail messages from a remote network 12 and handle remote procedure call requests and responses to and from a web server 14. In one example an e-mail message originates within the network 12 from a client of that network and is passed via a mail server of that network through the internet to the DIME scanner 10 before being routed on to the particular addressed client computer within the network 2. The e-mail message uses the DIME message format and includes a text body and multiple attachments. An overall description of the DIME message format may be found in the document entitled “DIME: Sending Binary Data Within Your SOAP Messages” by Matt Powell of Microsoft Corporation dated 22 Jan. 2002 and published on the MSDN internet site. Various other descriptions of the DIME message format are publicly available.
The e-mail message may contain computer file attachments of a variety of different types. Some of these file types, such as image files, e.g. JPEGs, will not require malware scanning as they may be considered not capable of carrying malware. Other attached computer files may include executable files which should be scanned for malware and Word documents which should be scanned for malware, such as embedded macro viruses.
An alternative use of the DIME message format is also illustrated in FIG. 1. In this example a client computer within the network 2 issues a remote procedure call to the web server 14. This remote procedure call may include a computer file being passed from the client computer to the web server 14 and this computer file should be malware scanned as it is outbound through the DIME scanner 10. The web server 14 will then perform the requested remote processing upon the computer file concerned and return remote procedure result data including a different computer file to the originating client computer. As this DIME message including the remote procedure call response is returned inbound through the DIME server 10 it is again malware scanned.
FIG. 2 illustrates the remote procedure call and remote procedure response flow discussed above. Firstly, the client computer generates a DIME message carrying the remote procedure call request and passes this to the web server via the DIME scanner which scans the outbound DIME message. The web server responds to this DIME message and performs the requested remote processing before generating its reply DIME message to be returned to the client computer. This reply DIME message again passes through the DIME scanner where it is scanned for malware before being received at the initiating client computer.
FIG. 3 schematically illustrates a flow diagram showing the processing performed by the DIME scanner 10. At step 16 the DIME scanner 10 waits until a DIME message is received. In some embodiments the DIME scanner 10 may wait until the whole DIME message has been received before it initiates malware scanning upon that message. Alternatively, it may be possible to initiate the malware scanning before the DIME message has been fully received since the DIME message format allows the separate data records to be treated as individual entities which can be malware scanned in their own right as appropriate. Since the DIME message format allows very large messages to be exchanged, it is an advantage to be able to initiate malware scanning on these messages prior to all of the message being received as a way of reducing the latency associated with malware scanning.
Once a DIME message has been received (or at least the first data record within such a message), then step 18 selects the first record within the message. Step 20 then reads the record header information from the data record concerned. Step 22 determines from the file type information contained within the record header whether or not the data payload associated with that data record should be malware scanned. As an example, if the data type indicates that the data payload is text data, or image data, then these may not need malware scanning as they may be deemed not to be capable of containing malware. The particular configuration and decision as to whether or not individual file types should be malware scanned will vary depending upon the situation. As an example, if a malware scanner is trying to identify banned words, such as obscene or offensive words within e-mail messages, then text data may be malware scanned to identify whether or not it contains any such banned words even if it cannot carry a virus. Other data types, such as executable files or computer files that may contain macros are known to represent a significant risk of malware infection and will be scanned as appropriate. Those computer files (payload data) identified at step 22 as having a file type that should be scanned are passed to step 24 where the malware scanning for computer viruses, worms, Trojans, banned words, banned files, banned images etc. is performed in accordance with the user configuration and what is appropriate for the file type concerned. If malware is detected as determined at step 26, then a malware found action is triggered at step 28. The malware found action may include deleting the payload data, quarantining the payload data, disinfecting the payload data, repairing the payload data, generating an alert message, such as to a user or administrator, or a combination of the above or other actions. 
Following step 28, or directly from step 22 if the file type is not to be scanned, processing proceeds to step 30 at which a determination is made as to whether or not the last data record within the message has yet been reached. The DIME message format includes within each data record flags which indicate whether it is the first data record within that message, the last data record within that message, both, or other attributes, such as being a data record that forms part (a chunk) of a computer file. These flags may be read at step 30. If the data record is the last data record in the message, then the process terminates (or returns to step 16 to await the next DIME message). If the test at step 30 indicates that the last data record has not yet been reached, then processing proceeds to step 32 at which the next data record is selected for consideration and processing returns to step 20.
FIG. 4 schematically illustrates a DIME message containing four data records. It will be seen that each data record contains a header including data identifying the type of computer file that forms the data payload associated with that data record and the length of that data record (this effectively forms a pointer to the start of the next data record or the end of the message). The first data record 34 is marked with a message begins flag and carries a data payload that is text data. In this example, text data is not to be malware scanned and so once the header has been read to identify that the payload data is text data, then the length data embedded in the header is used to make a jump within the DIME message to the start of the second data record 36. Starting at the beginning of the second data record 36, the header information is read which indicates that the data payload for that data record is a Word document. Word documents are selected to be scanned for macro viruses and accordingly scanning of the payload data is initiated. The scanning of the Word document may only need to determine whether or not the Word document contains a macro and if necessary analyse this macro. Once this determination has been made, the malware scan of the data record 36 may be terminated and a jump made using the length data embedded in the header to the start of the third data record 38. The type data of this third data record indicates that the payload data is a JPEG computer file. In this example JPEG computer files are not malware scanned and accordingly the length data is used to jump to the fourth data record 40.
The fourth data record 40 contains an executable file as its payload data and this is subject to malware scanning to determine whether it contains a computer virus or constitutes a worm or a Trojan. The fourth data record 40 also carries a flag in its header indicating that it is the end of the message and accordingly further malware scanning of the message is not required.
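The record-walking procedure of FIGS. 3 and 4, as an added Python example that is not part of the patent or of any McAfee product. The six-byte record header, the flag values, the media-type names, the scanner functions and the sample payloads are all constructed for illustration; the real DIME draft uses a different header layout, and the two scanners are stand-ins (the "signature" matches only the harmless EICAR test string, the "macro" check only looks for a VBA project stream name). The example goes slightly beyond the figure: it scans records as they arrive rather than after the whole message, reassembles chunked (CF) records before scanning, and scans any type the policy does not list.

```python
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Flags named after DIME's MB/ME/CF bits; the 6-byte header is a constructed simplification.
MB, ME, CF = 0x04, 0x02, 0x01               # message begin, message end, chunk follows
HDR = struct.Struct(">BBI")                 # flags, length of type name, length of payload
Scanner = Callable[[bytes], Optional[str]]  # returns a detection name, or None if clean

def _pad4(n: int) -> int:
    return (4 - n % 4) % 4  # padding up to the next 4-byte boundary

def build_record(flags: int, media_type: str, payload: bytes) -> bytes:
    t = media_type.encode("ascii")
    head = HDR.pack(flags, len(t), len(payload)) + t + b"\0" * _pad4(len(t))
    return head + payload + b"\0" * _pad4(len(payload))

# Constructed scanners: the "signature" matches only the harmless EICAR test string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def scan_signature(payload: bytes) -> Optional[str]:
    return "EICAR-Test-File" if EICAR in payload else None
def scan_macro(payload: bytes) -> Optional[str]:  # stand-in for a real macro check
    return "Document contains VBA macro" if b"_VBA_PROJECT" in payload else None

# The patent's user configuration: a type mapped to [] is skipped by length without
# reading its payload; a type not listed is scanned anyway, since the sender sets it.
DEFAULT_POLICY: Dict[str, List[Scanner]] = {
    "text/plain": [],
    "image/jpeg": [],
    "application/msword": [scan_macro, scan_signature],
    "application/x-msdownload": [scan_signature],
}
UNKNOWN_TYPE_SCANNERS: List[Scanner] = [scan_signature]

@dataclass
class StreamingScanner:
    policy: Dict[str, List[Scanner]] = field(default_factory=lambda: dict(DEFAULT_POLICY))
    buf: bytes = b""
    offset: int = 0            # start of the first record not yet processed
    records_seen: int = 0
    finished: bool = False     # set once the ME record has been processed
    _chunk_type: Optional[str] = None
    _chunks: List[bytes] = field(default_factory=list)

    def feed(self, data: bytes) -> List[tuple]:
        """Append received bytes; return (index, type, detection) for newly scanned records."""
        self.buf += data
        found: List[tuple] = []
        while not self.finished:
            rec = self._next_record()
            if rec is None:
                break  # next record not fully received yet; wait for more data
            found.extend(self._process(*rec))
        return found

    def _next_record(self):
        if self.offset + HDR.size > len(self.buf):
            return None
        flags, tlen, dlen = HDR.unpack_from(self.buf, self.offset)
        tstart = self.offset + HDR.size
        dstart = tstart + tlen + _pad4(tlen)
        end = dstart + dlen + _pad4(dlen)
        if end > len(self.buf):
            return None
        media_type = self.buf[tstart:tstart + tlen].decode("ascii", "replace")
        payload = self.buf[dstart:dstart + dlen]
        self.offset = end  # the header's length field is the jump to the next record
        self.records_seen += 1
        return flags, media_type, payload

    def _process(self, flags: int, media_type: str, payload: bytes) -> List[tuple]:
        index = self.records_seen - 1
        self.finished = bool(flags & ME)
        if flags & CF and not flags & ME:  # chunk of a larger file: buffer it so a split signature is not missed
            self._chunk_type = self._chunk_type or media_type
            self._chunks.append(payload)
            return []
        if self._chunks:  # final chunk: reassemble; the type came with the first chunk
            media_type = self._chunk_type or media_type
            payload = b"".join(self._chunks) + payload
            self._chunks, self._chunk_type = [], None
        found = []
        for scan in self.policy.get(media_type, UNKNOWN_TYPE_SCANNERS):
            detection = scan(payload)
            if detection:
                found.append((index, media_type, detection))
        return found

def fig4_demo() -> dict:
    """FIG. 4's four records with constructed payloads, delivered in two reads."""
    recs = [build_record(MB, "text/plain", b"Quarterly figures attached."),
            build_record(0, "application/msword", b"\xd0\xcf\x11\xe0_VBA_PROJECT" + b"\0" * 20),
            build_record(0, "image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 40),
            build_record(ME, "application/x-msdownload", b"MZ" + EICAR)]
    msg, cut = b"".join(recs), len(recs[0]) + len(recs[1]) + 5  # cut lands mid-header of record 3
    s = StreamingScanner()
    early, late = s.feed(msg[:cut]), s.feed(msg[cut:])  # 'early' is reported before the whole message arrives
    return {"early": early, "late": late, "records": s.records_seen, "finished": s.finished}
```

Running `fig4_demo()` returns the macro finding for record 36 from the first read alone, while records 34 and 38 are never read beyond their headers and the executable in record 40 is flagged once the second read completes the message. Two points a practitioner would add before deploying this: the declared type and length are supplied by the sender, so the policy above scans any unlisted type rather than skipping it, and a production scanner would also cap the declared length before buffering a record and would sniff the payload's real format rather than relying on the type field alone.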
FIG. 5 schematically illustrates a general purpose computer 200 of the type that may be used to implement the above described techniques. The general purpose computer 200 includes a central processing unit 202, a random access memory 204, a read only memory 206, a network interface card 208, a hard disk drive 210, a display driver 212 and monitor 214 and a user input/output circuit 216 with a keyboard 218 and mouse 220 all connected via a common bus 222. In operation the central processing unit 202 will execute computer program instructions that may be stored in one or more of the random access memory 204, the read only memory 206 and the hard disk drive 210 or dynamically downloaded via the network interface card 208. The results of the processing performed may be displayed to a user via the display driver 212 and the monitor 214. User inputs for controlling the operation of the general purpose computer 200 may be received via the user input/output circuit 216 from the keyboard 218 or the mouse 220. It will be appreciated that the computer program could be written in a variety of different computer languages. The computer program may be stored and distributed on a recording medium or dynamically downloaded to the general purpose computer 200. When operating under control of an appropriate computer program, the general purpose computer 200 can perform the above described techniques and can be considered to form an apparatus for performing the above described techniques. The architecture of the general purpose computer 200 could vary considerably and FIG. 5 is only one example.
Although illustrative embodiments of the invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications can be effected therein by one skilled in the art without departing from the scope and spirit of the invention as defined by the appended claims.

Claims (30)

1. A computer program product embodied on a tangible computer readable medium for detecting malware, said computer program product comprising:
receiving code operable to receive a message containing a plurality of data records, each data record having associated record characterizing data and payload data, said record characterizing data including type data identifying data type of payload data of said data record and length data identifying length of said data record;
determining code operable to determine from type data of a data record whether or not payload data of said data record should be scanned for malware;
scanning code operable if said type data indicates that said payload data should be scanned for malware to scan said payload data for malware; and
calculating code operable if a last data record within said message has not yet been subject to said determination to calculate from said length data a start location of a next data record within said message to be subject to said determination;
wherein said scanning of said payload data includes directly scanning said payload data in an unencoded form and is initiated before an entirety of said message is received and after at least one of said plurality of data records is received in order to reduce a latency associated with said malware scanning.
2. A computer program product as claimed in claim 1, wherein said payload data is a computer file.
3. A computer program product as claimed in claim 2, wherein said computer file directly forms said payload data without encoding.
4. A computer program product as claimed in claim 1, wherein said message is a DIME message.
5. A computer program product as claimed in claim 1, wherein said message is one of:
an e-mail message;
a remote procedure call; and
a remote procedure response.
6. A computer program product as claimed in claim 1, wherein said malware scanning scans for one or more of:
a computer virus;
a worm;
a Trojan;
a banned file;
a banned word; and
a banned image.
7. A computer program product as claimed in claim 1, wherein if malware is found within a data record, then a malware found action is triggered.
8. A computer program product as claimed in claim 7, wherein said malware found action is one or more of:
deleting at least said payload data of said data record;
quarantine at least said payload data of said data record;
disinfecting at least said payload data of said data record;
repairing at least said payload data of said data record; and
generating an alert message.
9. A computer program product as claimed in claim 1, wherein a data record within said message comprises a further message.
10. A computer program product as claimed in claim 1, wherein a type of said malware scanning is performed according to a user configuration and said type data.
11. A method of detecting malware, said method comprising the steps of:
receiving a message containing a plurality of data records, each data record having associated record characterizing data and payload data, said record characterizing data including type data identifying data type of payload data of said data record and length data identifying length of said data record;
determining from type data of a data record whether or not payload data of said data record should be scanned for malware;
if said type data indicates that said payload data should be scanned for malware, then scanning said payload data for malware; and
if a last data record within said message has not yet been subject to said step of determining, then calculating from said length data a start location of a next data record within said message to be subject to said step of determining;
wherein said scanning of said payload data includes directly scanning said payload data in an unencoded form and is initiated before an entirety of said message is received and after at least one of said plurality of data records is received in order to reduce a latency associated with said malware scanning.
12. A method as claimed in claim 11, wherein said payload data is a computer file.
13. A method as claimed in claim 12, wherein said computer file directly forms said payload data without encoding.
14. A method as claimed in claim 11, wherein said message is a DIME message.
15. A method as claimed in claim 11, wherein said message is one of:
an e-mail message;
a remote procedure call; and
a remote procedure response.
16. A method as claimed in claim 11, wherein said malware scanning scans for one or more of:
a computer virus;
a worm;
a Trojan;
a banned file;
a banned word; and
a banned image.
17. A method as claimed in claim 11, wherein if malware is found within a data record, then a malware found action is triggered.
18. A method as claimed in claim 17, wherein said malware found action is one or more of:
deleting at least said payload data of said data record;
quarantine at least said payload data of said data record;
disinfecting at least said payload data of said data record;
repairing at least said payload data of said data record; and
generating an alert message.
19. A method as claimed in claim 11, wherein a data record within said message comprises a further message.
20. A computer program product as claimed in claim 1, wherein said record characterizing data further includes data representing whether said associated data record is a portion of a data file.
21. Apparatus for detecting malware, said apparatus comprising:
receiving logic operable to receive a message containing a plurality of data records, each data record having associated record characterizing data and payload data, said record characterizing data including type data identifying data type of payload data of said data record and length data identifying length of said data record;
determining logic operable to determine from type data of a data record whether or not payload data of said data record should be scanned for malware;
scanning logic operable if said type data indicates that said payload data should be scanned for malware to scan said payload data for malware; and
calculating logic operable if a last data record within said message has not yet been subject to said determination to calculate from said length data a start location of a next data record within said message to be subject to said determination;
wherein said scanning of said payload data includes directly scanning said payload data in an unencoded form and is initiated before an entirety of said message is received and after at least one of said plurality of data records is received in order to reduce a latency associated with said malware scanning.
22. Apparatus as claimed in claim 21, wherein said payload data is a computer file.
23. Apparatus as claimed in claim 22, wherein said computer file directly forms said payload data without encoding.
24. Apparatus as claimed in claim 21, wherein said message is a DIME message.
25. Apparatus as claimed in claim 21, wherein said message is one of:
an e-mail message;
a remote procedure call; and
a remote procedure response.
26. Apparatus as claimed in claim 21, wherein said malware scanning scans for one or more of:
a computer virus;
a worm;
a Trojan;
a banned file;
a banned word; and
a banned image.
27. Apparatus as claimed in claim 21, wherein if malware is found within a data record, then a malware found action is triggered.
28. Apparatus as claimed in claim 27, wherein said malware found action is one or more of:
deleting at least said payload data of said data record;
quarantine at least said payload data of said data record;
disinfecting at least said payload data of said data record;
repairing at least said payload data of said data record; and
generating an alert message.
29. Apparatus as claimed in claim 21, wherein a data record within said message comprises a further message.
30. A computer program product as claimed in claim 1, wherein said payload data with said type data indicative of image data and text data does not require malware scanning and said payload data with said type data indicative of executable data.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/096,430 US7376842B1 (en) 2002-03-13 2002-03-13 Malware scanning messages containing multiple data records

Publications (1)

Publication Number Publication Date
US7376842B1 true US7376842B1 (en) 2008-05-20

Family

ID=39387721

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/096,430 Expired - Fee Related US7376842B1 (en) 2002-03-13 2002-03-13 Malware scanning messages containing multiple data records

Country Status (1)

Country Link
US (1) US7376842B1 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080077995A1 (en) * 2004-09-15 2008-03-27 Jon Curnyn Network-Based Security Platform
US20090044276A1 (en) * 2007-01-23 2009-02-12 Alcatel-Lucent Method and apparatus for detecting malware
US20090328210A1 (en) * 2008-06-30 2009-12-31 Microsoft Corporation Chain of events tracking with data tainting for automated security feedback
US20100057903A1 (en) * 2006-07-19 2010-03-04 Chronicle Solutions (Uk) Limited Network monitoring by using packet header analysis
US7971254B1 (en) * 2004-01-28 2011-06-28 Netgear, Inc. Method and system for low-latency detection of viruses transmitted over a network
US8291497B1 (en) * 2009-03-20 2012-10-16 Symantec Corporation Systems and methods for byte-level context diversity-based automatic malware signature generation
US20130074185A1 (en) * 2011-09-15 2013-03-21 Raytheon Company Providing a Network-Accessible Malware Analysis
US8799450B2 (en) * 2008-10-14 2014-08-05 Mcafee, Inc. Server-based system, method, and computer program product for scanning data on a client using only a subset of the data
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5319776A (en) * 1990-04-19 1994-06-07 Hilgraeve Corporation In transit detection of computer virus with safeguard
US6029256A (en) * 1997-12-31 2000-02-22 Network Associates, Inc. Method and system for allowing computer programs easy access to features of a virus scanning engine
US20020103783A1 (en) * 2000-12-01 2002-08-01 Network Appliance, Inc. Decentralized virus scanning for stored data
US6842861B1 (en) * 2000-03-24 2005-01-11 Networks Associates Technology, Inc. Method and system for detecting viruses on handheld computers

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Direct Internet Message Encapsulation" (Henrik F. Nielsen, Feb. 1, 2002). *
"Direct Internet Message Encapsulation" (Henrik F. Nielsen, May 23, 2001). *
Powell, "DIME: Sending Binary Data with your SOAP Messages," Microsoft Corporation, Jan. 22, 2002.

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10104110B2 (en) 2003-07-01 2018-10-16 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10050988B2 (en) 2003-07-01 2018-08-14 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10021124B2 (en) 2003-07-01 2018-07-10 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US10154055B2 (en) 2003-07-01 2018-12-11 Securityprofiling, Llc Real-time vulnerability monitoring
US9225686B2 (en) 2003-07-01 2015-12-29 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US7971254B1 (en) * 2004-01-28 2011-06-28 Netgear, Inc. Method and system for low-latency detection of viruses transmitted over a network
US20080077995A1 (en) * 2004-09-15 2008-03-27 Jon Curnyn Network-Based Security Platform
US8386598B2 (en) * 2006-07-19 2013-02-26 Mcafee, Inc. Network monitoring by using packet header analysis
US9264378B2 (en) * 2006-07-19 2016-02-16 Mcafee, Inc. Network monitoring by using packet header analysis
US20100057903A1 (en) * 2006-07-19 2010-03-04 Chronicle Solutions (Uk) Limited Network monitoring by using packet header analysis
US8954581B2 (en) * 2006-07-19 2015-02-10 Mcafee Inc. Network monitoring by using packet header analysis
US20150113135A1 (en) * 2006-07-19 2015-04-23 Mcafee, Inc. Network monitoring by using packet header analysis
US20130166583A1 (en) * 2006-07-19 2013-06-27 Stephen Robinson Network monitoring by using packet header analysis
US8112801B2 (en) * 2007-01-23 2012-02-07 Alcatel Lucent Method and apparatus for detecting malware
US20090044276A1 (en) * 2007-01-23 2009-02-12 Alcatel-Lucent Method and apparatus for detecting malware
US20090328210A1 (en) * 2008-06-30 2009-12-31 Microsoft Corporation Chain of events tracking with data tainting for automated security feedback
US9544360B2 (en) 2008-10-14 2017-01-10 Mcafee, Inc. Server-based system, method, and computer program product for scanning data on a client using only a subset of the data
US8799450B2 (en) * 2008-10-14 2014-08-05 Mcafee, Inc. Server-based system, method, and computer program product for scanning data on a client using only a subset of the data
US10419525B2 (en) 2008-10-14 2019-09-17 Mcafee, Llc Server-based system, method, and computer program product for scanning data on a client using only a subset of the data
US8291497B1 (en) * 2009-03-20 2012-10-16 Symantec Corporation Systems and methods for byte-level context diversity-based automatic malware signature generation
US20130074185A1 (en) * 2011-09-15 2013-03-21 Raytheon Company Providing a Network-Accessible Malware Analysis
US9003532B2 (en) * 2011-09-15 2015-04-07 Raytheon Company Providing a network-accessible malware analysis

Similar Documents

Publication Publication Date Title
US7376842B1 (en) Malware scanning messages containing multiple data records
US10462163B2 (en) Resisting the spread of unwanted code and data
US7107617B2 (en) Malware scanning of compressed computer files
US6851058B1 (en) Priority-based virus scanning with priorities based at least in part on heuristic prediction of scanning risk
US8510839B2 (en) Detecting malware carried by an E-mail message
US8719928B2 (en) Method and system for detecting malware using a remote server
EP1385303B1 (en) Method and device for preventing malicious computer code from propagating
KR101292973B1 (en) Enhanced e­mail folder security
US20020004908A1 (en) Electronic mail message anti-virus system and method
US7899870B2 (en) Determination of participation in a malicious software campaign
US7644352B2 (en) Content scanning of copied data
US8291505B2 (en) Detecting computer data containing compressed video data as banned computer data
JP2017526067A (en) Virus scanning method and virus scanning apparatus
US7900254B1 (en) Identifying malware infected reply messages
US11516249B1 (en) On-demand scanning of e-mail attachments
US10902125B2 (en) Infected file detection and quarantine system
US20060041941A1 (en) Messaging virus protection program and the like
US11126722B1 (en) Replacement of e-mail attachment with URL
KR102412196B1 (en) Method for Detecting Malicious Codes of Compressed File
KR20240031037A (en) Technique for providing electronic messages
Rascagnères The andromeda/gamarue botnet is on the rise again
AU2012258355B9 (en) Resisting the Spread of Unwanted Code and Data

Legal Events

Date Code Title Description
AS Assignment

Owner name: NETWORKS ASSOICATES TECHNOLOGY, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HURSEY, NEIL JOHN;REEL/FRAME:012692/0431

Effective date: 20020306

AS Assignment

Owner name: MCAFEE, INC., CALIFORNIA

Free format text: MERGER;ASSIGNOR:NETWORKS ASSOCIATES TECHNOLOGY, INC.;REEL/FRAME:016593/0812

Effective date: 20041119

CC Certificate of correction
FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FEPP Fee payment procedure

Free format text: PETITION RELATED TO MAINTENANCE FEES FILED (ORIGINAL EVENT CODE: PMFP); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PETITION RELATED TO MAINTENANCE FEES GRANTED (ORIGINAL EVENT CODE: PMFG); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
REIN Reinstatement after maintenance fee payment confirmed
FPAY Fee payment

Year of fee payment: 4

PRDP Patent reinstated due to the acceptance of a late maintenance fee

Effective date: 20120625

SULP Surcharge for late payment
FP Lapsed due to failure to pay maintenance fee

Effective date: 20120520

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20160520